Do Cyber-Offensive Strategies Make Sense?

The International Information Systems Security Certification Consortium (ISC2) panel debated the merit of taking an offensive approach to IT security.

When it comes to modern enterprise IT security, the best defense isn't necessarily about having a good offense. A panel of experts at the International Information Systems Security Certification Consortium (ISC2) Security Congress' 2013 event debated the issue of cyber-offensive strategies on Sept. 27. The panel concluded that offensive strategies aren't likely the right approach for most, if not all, enterprise IT shops.
The concept behind the panel was to talk about whether it made sense for enterprises to go vigilante against cyber-threats, Adam Meyers, vice president of intelligence at security vendor CrowdStrike, explained. Vigilantism is unlikely to ultimately be successful, he said, adding that enterprises don't need to focus on how to get back at an attacker, he said.
"What enterprises need to do is focus on delivering security that is effective," Meyers told eWEEK. "The way you make it effective is by knowing who is coming after you, how they are coming after you and what they are going to use against you."
With the right intelligence, an enterprise can effectively defend and mitigate the risks from modern attacks. CrowdStrike is strongly focused on security intelligence overall; its Falcon platform fuses real-time detection of targeted attacks with actionable security intelligence.

Understanding what an attack and an attacker is all about offers an organization a variety of options for response, Meyers said, adding that enterprises can stop an attack or perhaps even watch an attack in order to learn more about the attacker. An attack can also be an option to provide false information to the attacker, he said.

When it comes to actually engaging in some form of actual discourse with an attacker, caution is called for, said Hord Tipton, executive director of ISC2. "I would be nervous about engaging with an attacker in a retaliatory fashion," Tipton said.
There is so much data available today, and understanding how and when to use it is a big question for IT security professionals, Tipton said. In terms of tipping off and sharing information with government agencies, such that one of them could take action, Tipton also advises caution.
"Not to second-guess all of our three-letter U.S. government agencies, but all of them have a lot of access to a lot of data," Tipton said.
From an offensive perspective, Tipton said he considers the capacity to take some form of action a political question. International laws often fail to address the issue of offensive cyber-security actions and what the consequences should be, he said.
Enterprise organizations are simply not suited or prepared to conduct offensive actions, Meyers said. "There is a reason why the military is involved in that sort of thing," Meyers said. "They can effectively gauge what collateral damage, if any, might occur and forecast what the outcome might be."
For Tipton, going after attackers is like fighting the mythical hydra. "You cut off one head, and nine grow back," Tipton said. "We have to start out on the defensive end of the skirmish."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.